Willem Jonker, CEO of EIT Digital, discusses the increasing threat of cybersecurity breaches in Europe and what businesses can do to protect their systems and reputation.
In a world of constant digital innovation, where everything from our coffee machines to the central heating can be linked to the internet, the looming threat of cybersecurity breaches is forever growing.
Recognising the increasing need for innovation in cybersecurity, EIT Digital – a leading digital innovation and entrepreneurial education organisation – is committed to helping Europe respond to major cybersecurity challenges. As a pan-European ecosystem, EIT Digital offers SMEs, start-ups, universities, and research institutes the opportunity to collaborate in an open innovation setting.
The organisation works with many entrepreneurial partners to build digital innovations and new ventures within several strategic areas, of which cybersecurity is a key focus. To find out more about the company’s role in furthering innovation in cybersecurity in Europe, Innovation News Network spoke to Willem Jonker, CEO of EIT Digital.
Do you think cyberthreats are impacting Europe’s path to prosperity and, if so, how?
We are currently seeing an enormous growth in cyber threats, with cybersecurity issues being reported almost daily in the newspapers. Addressing cybersecurity is a complex matter because there are so many different elements involved. The basic notion of cybersecurity is very simple: as soon as you equip a device with software and you connect that to a network, you open up a vulnerability. That is what, as a society, we have been increasingly doing as we continue to hook up systems and devices to networks.
In terms of addressing what hackers are interested in, the motivations can be different. These people are interested in data, but they also want to block your operations. Possible motivations could be to gain intelligence, to carry out an attack as part of a cyberwar, or it could be related to money. All cyberthreats have different origins and therefore require different methods of dealing with them. The sad news is that you cannot protect yourself from everything. The good news is that you can put a variety of preventative measures in place to reduce exposure.
Cybersecurity protection methods, however, are never 100% secure. Whether you are driving in real traffic on the road or in cyberspace, you are never completely safe. Keeping safe in cyberspace requires a combination of technology, protection, and behaviour. You can have firewalls and a lot of data protection, but if you, as a user, are not taking a certain behavioural attitude in how you deal with your systems and data, you are still vulnerable.
If your data is exposed, you are liable as a company and you will receive a fine. If a critical infrastructure is disabled, it can have an enormous economic impact. If you get ransomware installed on your machine, you must pay a ransom which costs money. Getting hit by a ransomware attack is bad, but it does not mean that the complete economy will stop.
I believe that we can harness cybersecurity. We are not able to eradicate cyberattacks completely, but we are able to utilise cybersecurity to a level where they do not become a serious threat to European prosperity.
Do you think that businesses, particularly start-ups, underestimate cybersecurity as a threat?
When it comes to cybersecurity, there is no generic attitude. Some people are very much aware and take it into account, whilst others are under the impression that it will never happen to them.
It is also important to consider the difference in resources available to smaller start-ups and large corporations. Governments try to build regulations to prevent the misuse of data.
Start-ups can, however, struggle to fully implement compliancy and protect themselves against possible negative consequences. Large corporations that have much more experience or bigger legal departments often also have deeper pockets with which to pay fines when there are breaches. This may distort the balance to the disadvantage of the smaller players. Feedback we receive from our start-up ecosystems also indicates that regulation can become an innovation inhibitor.
That is not what the intention is, but it may be a side effect. I think, especially in cybersecurity, that is a difficult trade-off because cybersecurity and usability are always competing elements.
As soon as you start introducing things like keywords, double identification, installation of virus scanners, or even clicking to accept cookies before you can enter a website, systems become more complex to use. To put it mildly, that is another trade-off. You can make it so secure that it is the system that nobody can touch, not even the user, but then that is not the system you want to have. The other extreme is a system where nothing is installed at all. This leaves us with a challenging balancing act.
What impact do you think the EU Cyber Security Act has had on the European economy and practices since it was brought into force?
Issuing an act does not solve an issue. An act gives you the legal framework in which you can operate, and it can install entities or institutions that are going to act in that domain. An act can also give more power to certain institutions to prevent attacks and enable more rights to follow traffic behaviour on the framework.
Are these acts needed and useful? Absolutely. Will they lead to a safer world? Absolutely. Is issuing the act enough? Absolutely not.
Acts are living things – they need to be deployed and implemented. They are a framework, but new threats arrive. These acts are issued at the EU level and are then picked up by the member states. Then member states will have to implement the consequences of these acts in the national legislation.
It creates an awareness; it provides for action; and it is a necessary ingredient. At a European level, this is taken seriously.
Cybersecurity is a key focus area for EIT Digital. Can you elaborate on the work you do in this area?
We are focusing on a couple of application domains, and what we call digital technology. Within this, we have two important focal areas: Artificial Intelligence (AI) and cybersecurity. Concretely, what we are doing is supporting activities that build cybersecurity solutions.
We are mainly focused on creating ventures. We believe that the best way to advance technology is to package it as a venture, which can either grow by itself or that can be acquired.
We are building and supporting ventures in the cybersecurity space. A very good example of a company we helped to grow is SecurityMatters, a cybersecurity solutions provider. After it grew significantly in a relatively short period of time, the organisation was sold off and acquired by a security company.
We are also carrying out activities focusing specifically on the security of Internet of Things (IoT). What you see increasingly is that systems are equipped with software functionality. Systems are connected to the network and therefore become vulnerable.
Next to that, you have operational technology (OT) security and that is embedded into systems: where critical infrastructures have control software. Those applications have, to a certain extent, similar challenges to the IT systems, but they also have very specific challenges. If you gain control over these embedded systems or OT, you could do harmful things in the real world. For instance, if you obtained control of the software system in an aeroplane, it could be very dangerous. Therefore, part of the solution is a complete disconnect.
To explain this further, you can take a car as an example. The critical driving infrastructure is a different software infrastructure than the entertainment infrastructure, which is continuously connected to enable regular traffic updates for example. That is then completely disconnected from your driving system, and you cannot use your navigation system to get to the brakes and stop them from functioning because the brakes are also software.
In short, there are certain architectural principles to protect. Those must be very well understood in that domain, but you cannot always avoid remote access. If you look at your mobile phone, you occasionally receive updates over the air. For a phone, these updates are less harmful, but they could be more serious for a car.
In our Innovation Factory, these are the areas that we try to focus on. This Factory is part of our innovation funnel, where we identify interesting technology and build fences around it. This scouting of interesting technologies is then guided by our priority areas, including cybersecurity.
Do you think that cybersecurity in Europe needs more investment as digital innovation increases?
I think cybersecurity needs more attention and awareness. It is hard to say whether it needs more investment, especially because cybersecurity is such a complex element where education and the human factor play such an important role. It is not just about providing investment money against having new technologies. You can have great technology, but if people keep the same behaviour, that makes them vulnerable.
Moreover, I think we need to see investment as more than just money. We need to invest in awareness, skilled people, further training, and ensuring that the cybersecurity tools we provide are kept on par with the attacks that occur.
Investing significantly more money into cybersecurity is not the solution. We first need to identify and address what we want to change and what the main vulnerabilities are.
For me, raising awareness of common cybersecurity breaches and the best preventative measures to implement is more important than simply investing a lot of money into more security systems.
For the final point, I just wanted to touch on the idea of digital sovereignty. What is your opinion on this?
Digital sovereignty is about choice and the freedom to operate. When you talk about digital sovereignty, you have to classify different technologies. You must determine which technologies are vital for you to own and to have full control over. Then you can identify which technologies can be co-owned and shared with other trusted actors.
With some technologies, it is good enough to simply have access. You need to establish a good analysis on what technologies need to be owned and which ones you only need access to.
The essence of digital sovereignty is that you have a very clear understanding with the purpose of freedom to operate and have a choice. If it comes to security technology, then you will have to control certain technology yourself. You will have to build security operating centres that you have under your full control.
It is a misunderstanding that European digital sovereignty means that Europe has to control everything to protect itself from the rest of the world and be an island. In digital, there are no islands. That, for me, is the notion of digital sovereignty.
Please note, this article will also appear in the eighth edition of our quarterly publication.